Defend your practice against HIPAA violations

Despite changes to the Health Insurance Portability and Accountability Act (HIPAA) that dramatically affect the risk profile of medical practices, many have yet to establish a full arsenal of defenses against data breaches. The simple fact is that failure to update your protections can multiply your vulnerabilities and fines if a breach occurs.

The penalties for a HIPAA violation are real and substantial. For example, a five-physician practice in Phoenix, Arizona, was fined $100,000 for failing to meet HIPAA’s privacy and security requirements. In other cases, fines have been assessed for the loss of thumb drives and laptops containing patient information as well as for poor compliance plans and training.

HIPAA privacy rules established standards for the handling and use of patient information, known as Protected Health Information (PHI). Prior to HIPAA, patient information was regulated by a diverse patchwork of thousands of state and federal laws. HIPAA’s standards enabled the exchange of information among healthcare organizations that assure provenance and integrity of PHI as well as appropriate authorization to share information among practices and/or healthcare organizations.

Unfortunately, many practices lack a comprehensive HIPAA security and privacy compliance program.

Related:Be proactive to avoid HIPAA violations

Although HIPAA compliance can be tailored to the complexity and size of your practice, the use of supposed shortcuts can dramatically increase the risk of problems and penalties. Using boilerplate materials from the Internet that have never been customized for the practice, performing training years ago but never again and not having designated staff members responsible for HIPAA compliance are common failures among smaller practices.

Partner E-Book Download: What if you had a HIPAA incident tomorrow?

Compliance problems are not limited to small practices. Some larger practices assume that information technology (IT) staff members enforce HIPAA when in fact the IT team knows little about clinical operations or procedures to support HIPAA standards.

Small and not-so-small practices are exposed to HIPAA penalties as well as the embarrassment of inappropriate use of patient information. HIPAA problems and compliance issues can even place your electronic health records (EHR) Incentive payments at risk.

HIPAA problems can affect every aspect of your practice. For example:

• Failure to maintain the integrity of your office notes could result in unsubstantiated billings and refunds from your practice to payers.

• In the event of a claim of medical professional liability, poor compliance with HIPAA privacy and/or security could severely undermine your defense against claims.

• Insurance auditors, quality reviews and other reviews of you patient records will depend on practice efforts to protect the integrity of patient information.

• In the worst cases, you patient and service documentation may be misleading and/or dismissed due to HIPAA problems and violations.

HIPAA is not optional or a luxury. In order to meet your HIPAA responsibilities, we will review some key strategies to decrease your HIPAA-related risk.

Supporting HIPAA security and privacy is a key requirement for virtually every practice. Practices make a variety of direct and implied representations that HIPAA privacy and security compliance is in place to other practices, payers and a wide range of related parties. In the event of a problem, the lack of appropriate compliance strategies and processes will expose the practice to a greater level of embarrassment and penalties.

By making HIPAA compliance part of your operational and patient service strategy, you will operate as a more reliable and effective organization while meeting the HIPAA requirements.

NEXT: Update your notice of privacy practices

Update your notice of privacy practices

The “current” Notice of Privacy Practices (NPP) in some practices is years old or was copied from a different practice.

Like all other HIPAA compliance tools, the Notice of Privacy Practices should be customized for the practice and reflect current requirements. If your NPP is dated prior to 2013, or lacks a date at all, then you need to update it. The HIPAA Omnibus rule included new requirements for using PHI that have to be included in the NPP, including:

• The circumstances under which the covered entity can use or disclose PHI. This must reflect the new rules regarding marketing and fundraising activities, the sale of PHI and disclosure to payers.

• An explanation of the patient’s rights and how those rights can be exercised.

• An explanation of the covered entity’s legal obligations.

• A contact person who can provide additional information to the patient.

Additionally, use of an EHR, changes to procedures, and even new service plans may trigger NPP changes.

Related:Senate to review HIPAA security of medical records in light of Anthem breach

Many NPPs lack practice-specific issues and accommodations. For example, even though communications with patients through email is allowed as long as patients understand the risks, the operational aspects of assimilating e-mails of clinical significance with your EHR and/or paper record may be daunting. If you are using a patient portal, you may want to direct patients to the portal and exclude email use in your NPP.

Find a security and privacy officer

HIPAA requires a privacy officer to monitor HIPAA privacy compliance and a security officer for HIPAA security. For smaller practices one person can serve both roles.

The security and privacy officers are the go-to people for HIPAA issues and are responsible for current documents, training, and compliance. As important, the Privacy and Security officers will have to handle and address HIPAA problems, and lead the response to impermissible uses and disclosures as well as breaches.

HIPAA privacy and security officers need to be properly trained as well as involved in developing a compliance program for the practice. The officer(s) are responsible for maintaining relevant policies and procedures as your practice evolves to meet changes in the healthcare industry as well as changes to your practice.

Lack of HIPAA officers or defaulting to an office manager who has not been trained or doesn’t have the time to develop and monitor HIPAA-compliant practice standards will not pass the compliance test.

Responsibilities for the officer include:

• updating privacy and security policies,

• creating a breach/incident log,

• developing a process for providing patients with records when requested,

• updating incident response plans,

• performing a risk assessment, and

• training employees.

NEXT: Update and document policies and procedures

Update and document policies and procedures

Practices are required to maintain documentation on HIPAA policies and procedures used to comply with the requirements. Many practices use boilerplate policies and procedures from various sources and services. However, the key issue is that the practice has to customize the policies and procedures for their own situation.

Related:Ways physicians can stay HIPAA compliant when using mobile devices

Policies and procedures will dramatically differ for a variety of service, operational and technical issues. For example:

• Using billing, EHR, and patient portal products from different vendors requires additional HIPAA security monitoring and tracking.

• Practices using paper charts will have to assure that the paper charts are properly managed and stored.

• Specialty practices that have extensive diagnostic equipment in-house will have to monitor PHI in each piece of equipment.

• Practices that exchange electronic information with labs, hospitals, other healthcare organizations should track the integrity and timely handling of outgoing and incoming electronic information.

• Practices with only one office will not have to address the coordination and office specific operational issues that will be covered in a practice with multiple offices.

HIPAA policies and procedures form the basis for the operational processes that will be used to serve patients.

Conduct training

Common HIPAA compliance problems related to training staff on HIPAA issues include:

• Training that was provided previously, but never repeated.

• New staff is trained on the job, but have no formal HIPAA training.

• No formal policies and procedures for training staff.

• Using a generic HIPAA training program that lacks application to the practice.

HIPAA requires training staff and doctors on practice-specific issues when they are hired as well as refresher courses on a periodic basis. Additionally, changes to the practice could necessitate supplemental training.

Using web meeting services and other technologies, practices can record a training session that can be used to support the HIPAA training requirements. However, general HIPAA training available on the Internet may not address the practice-specific issues that make the difference between compliance and lack of due care.

NEXT: Standardize your end-of-day clinical process

Standardize your end-of-day clinical process

Most practices have an end-of-day practice management process that matches payments with posted transactions and visits with charge entry. The process is used to verify that information has been properly recorded and managed in the medical billing system. An unposted batch or failure to generate claims would be considered a significant problem that must be fixed.

Unfortunately, most practices do not have a clinical end-of-day process to verify that clinical records are being properly maintained. Maintenance lapses could undermine the integrity of patient records and your clinical operations. Items that could be checked on a daily basis include:

• Patient exam notes were signed within an acceptable time.

• Incoming secured messages (Meaningful Use Stage 2) have been reviewed and addressed.

• Incoming electronic lab results (Meaningful Use) have been reviewed and communicated to the patient.

• The practice has sent reminders (Meaningful Use) to patients on overdue patient radiology orders and surgical orders.

Related:Meaningful Use 2: A work in progress for physicians

The end-of-day process should be based on standards established by the physician management. For example, primary care practices may have end-of-day checking for delivery of outgoing referrals while specialty practices may check on patients with overdue procedures

Understand breach consequences

A HIPAA breach is defined as the acquisition, access, use, or disclosure of PHI that is not allowed by HIPAA privacy rules. Breach penalties are capped at $1.5 million per penalty type per year with a sliding scale ($100 to $50,000) per incident. HIPAA Omnibus dramatically changed the breach triggers and HIPAA risks.

Prior to 2013, a breach required financial or reputational harm. HIPAA Omnibus changed the trigger for a breach to a situation where there is NOT a low probability that the PHI has been compromised; a much lower breach trigger.

Additionally, before the HIPAA Omnibus “pre-breach” events were evaluated to determine if a breach has occurred under the practice’s management process and a practice determined standard. No documentation of “pre-breach” events was required.

Related:Healthcare data breaches decline, but ACA could be increasing risks

Now practices must evaluate four aspects (nature of information, the receiving party, possibility of access, and mitigating factors) of any impermissible use or disclosure of PHI (or immediately consider such incident a breach). Your practice must maintain the information on the incident and your analysis of it.

Your practice’s handling of impermissible uses and disclosures and determination of breaches could be used to determine the nature (and penalty) for an actual breach as well as reflect on your HIPAA compliance. Any analysis of your HIPAA efforts could include a review of the analysis of impermissible use and disclosure as well as a look at your policies and procedures, training records, and risk assessments.

If your documentation is poor, not current, or you have avoided acknowledgement of breaches, then your practice could be at risk for higher financial penalties.

NEXT: Develop standard business associate agreements

Develop standard business associate agreements

Business Associates (BA) are non-employees or companies who create, receive, maintain or transmit PHI on behalf of your practice. In most cases, the BA is performing similar services for other parties who are covered under HIPAA.

A significant challenge for small practices is whose business associate agreement (BAA) is used. If you use the vendor’s BAA, you may have to deal with terms that may prove problematic. For example, some vendor BAAs:

• take full advantage of the 60 days to notify your practice of a breach,

• empower the vendor to control the breach notification process that you want to control, and/or

• specify who pays for breach expenses that may conflict with your practice’s interests

Additionally, you may want to monitor “pre-breach” events and vendor remediation efforts to fix problems.

If you use the vendor’s BAA, then you will be dealing with different BAA versions with each vendor and a negotiation process to address issues in each BAA. If you have a practice BAA, you can include the use of your BAA in the negotiation for the vendor services.

All practices should take the following steps regarding BAAs:

• Review and verify your BA relationships whenever you change vendors or service levels with a vendor, and

• Develop your own BAA that can be included in all negotiations with vendors, with the strategy of standardizing these agreements with all vendors.

Perform a security risk analysis

One of the more challenging problems for many practices is meeting the HIPAA security requirements. HIPAA security establishes standards to protect the confidentiality, integrity and accessibility of electronic PHI. To meet the HIPAA Security standards, practices must perform a HIPAA security risk analysis. The analysis is also a Meaningful Use requirement.

Unfortunately, many practices fail to perform an adequate assessment. Indeed, some practices think that use of an EHR alone fulfills the requirement or the EHR vendor takes care of the assessment. Failure to perform an adequate assessment can result in returning meaningful useincentive payments and/or HIPAA financial penalties to the practice. Indeed, an inadequate assessment could multiply penalties by a factor of 10 or more in the event of a HIPAA breach.

Related:Healthcare and pharma cyber security rated worst in S&P 500

In order to complete the assessment, practices need an evaluation tool. Evaluation tools have been developed by system integrators, other vendors and a variety of organizations. Many of these tools seek to minimize the effort and, in some cases, provide a false sense of security that the assessment is valid.

The website HealthIT.gov has an assessment tool (http://www.healthit.gov/providers-professionals/security-risk-assessment-tool) that is the standard practices should consider. The paper version is more than 420 pages but there are strategies practices can use to make the assessment more manageable.

As with all HIPAA activities, you should customize the tool to address the specifics of your organization or practice. For example, use of an EHR cloud service would simplify the assessment compared with practices whose EHR is on in-house computer servers.

NEXT: Maintain constant vigilance

Maintain constant vigilance

HIPAA compliance is not a single task that you get to check off and you are done. HIPAA compliance requires constant vigilance and adjustments to your operations and underlying policies and procedures according to practice changes that affect HIPAA as well as HIPAA changes that affect your practice including:

• Implementing a patient portal

• New EHR software

• EHR software upgrades

• Virtual patient visits over a Skype-like service

• New diagnostic equipment

• Opening a new location

• Adding a Provider that results in changes in clinical services and/or procedures

• An impermissible use or disclosure

• A breach

If you have a change that affects your HIPAA profile, you may need to update your policies and procedures as well as train physicians and staff on the changes. If you have a change to your EHR or computer systems, you may need to update your security risk assessment.

Failure to maintain your HIPAA strategies and procedures could result in weaknesses, HIPAA violations, and penalties.

HIPAA rule violations

Categories & penalty amounts

The Health Insurance Portability and Accountability Act Omnibus Rule establishes four “tiers” of violations, based on what it terms “increasing levels of culpability,” with a range of fines for each tier.

Violations of the same requirement or prohibition for any of the categories are limited to $1.5 million per calendar year.

The language of the rule states that actual dollar amounts will be based on “the nature and extent of the violation, the nature and extent of the resulting harm, and other factors…includ[ing] both the financial condition and size of the covered entity or business associate.”

NEXT:  Myths about security risks

What is a security risk analysis?

A security risk analysis involves analyzing vulnerabilities and threats to your system to safeguard electronic protected health information (EPHI). It means reviewing your policies, practices, and systems and correcting any issues that may make EPHI vulnerable.

• Review existing security of protected health information

• Identify threats and vulnerabilities

• Assess risks for likelihood and impact

• Mitigate security risks

• Monitor results

Myths debunked about security risk analyses

MYTH: The security risk analysis is optional for small providers.

FACT: False. The analysis is required for all providers.

MYTH: Installing a certified EHR fulfills the security risk analysis component.

FACT: False. Security requirements address all EPHI, not just info in your EHR.

MYTH: I only need to do a risk analysis once.

FACT: False. To comply with HIPAA, you must continue to review, modify, and update your security protections.

For more myths debunked, visit: www.healthit.gov